In a VPN scenario where the office’s LAN is, for example, 192.168.1.1 and the customer’s home LAN is also 192.168.1.1, would the WireGuard VPN work without conflicts?
Office: Mikrotik
Home: WireGuard client
Who tells the PC at home whether 192.168.1.X is at the office or at their home? How to prevent this without changing the home’s LAN?
Connecting 2 subnets with the same IP-range is asking for trouble. You WILL get conflicts.
I’m not saying it cannot be done (you still need to take care of overlapping addresses) but you will probably create a lot of other problems.
Changing the home subnet is the best option in my view.
One of the reasons I choose 192.168.2.0/24 as home subnet. It’s not that common and mostly avoids such issues.
Having said that… why do you think it is a good idea to put a non-controlled customer home LAN and work LAN directly connected to each other?
Or is it only the client PC which needs the connection, as well as e.g. a local printer?
Maybe clarify first exactly what you are trying to achieve with a small diagram (can be on paper)?
The customer wants to be able to access the office’s NAS and server from his home, so he needs to be able to see those devices via VPN from his home. I also think that changing the home’s LAN is the best option.
However, I hate people who use 192.168.1.1 in offices…
Basically, if the home PC with 192.168.1.10 wants to see the office’s NAS at 192.168.1.50 via VPN (while, for example, there’s a smart plug with 192.168.1.50 at home), I would have to make a DST-NAT with a random different DUMMY address (192.168.222.50): the source address would be the home PC’s tunnel IP, and the Mikrotik would DST-NAT it to the correct 192.168.1.50 at the office. Would that work, or is there still a chance that the Mikrotik would redirect it to the home’s 192.168.1.50?
Again, theoretically… yes, but you see what rabbit hole you’re going to get into?
What if there is another device with an overlapping IP address?
Again:
is it only the PC of the USER requiring access? In that case the issue might be a lot less.
Simply (during that session) let all traffic go over VPN towards company network.
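
A simplified model of the dummy-address approach discussed in this thread, added here as an illustration and not posted by any participant. It shows which interface the home PC picks by longest-prefix match and what the office side sees after DST-NAT. It generalizes the single dummy address to a 1:1 mapping of the whole 192.168.222.0/24 range; the routing table, the interface names `lan` and `wg0`, and the split-tunnel setup are assumptions.

```python
import ipaddress

# Constructed model of the home PC's routing table (assumption: split tunnel,
# with only the dummy range listed in the WireGuard client's AllowedIPs).
CLIENT_ROUTES = [
    ("192.168.1.0/24", "lan"),    # connected home LAN (overlaps the office)
    ("192.168.222.0/24", "wg0"),  # dummy range routed into the tunnel
    ("0.0.0.0/0", "lan"),         # default route via the home router
]

# Office-side 1:1 mapping: dummy range -> real office LAN.
DUMMY_NET = ipaddress.ip_network("192.168.222.0/24")
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")


def egress_interface(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match: return the interface the client uses for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def office_dst_nat(dst):
    """Rewrite a dummy address to the office host with the same host part."""
    addr = ipaddress.ip_address(dst)
    if addr not in DUMMY_NET:
        return dst  # not addressed to the dummy range, left untouched
    offset = int(addr) - int(DUMMY_NET.network_address)
    return str(OFFICE_NET.network_address + offset)


def trace(dst):
    """Return (client egress interface, destination seen after office NAT)."""
    iface = egress_interface(dst)
    # Only packets that entered the tunnel ever reach the office router.
    final = office_dst_nat(dst) if iface == "wg0" else dst
    return iface, final


if __name__ == "__main__":
    # 192.168.1.50 stays at home (smart plug); 192.168.222.50 reaches the NAS.
    for target in ("192.168.1.50", "192.168.222.50", "192.168.222.10"):
        print(target, "->", trace(target))
```

In this model the home PC never sends 192.168.1.50 into the tunnel, and because the packet's source is the tunnel IP, replies from the office are routed back without touching either 192.168.1.0/24.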